from the money-for-nothin'-and-your-clicks-for-free dept.
Wired reports that:
At the Black Hat conference in Las Vegas next month Ragan and Salazar plan to reveal how they built a botnet using only free trials and freemium accounts on online application-hosting services--the kind coders use for development and testing to avoid having to buy their own servers and storage. The hacker duo used an automated process to generate unique email addresses and sign up for those free accounts en masse, assembling a cloud-based botnet of around a thousand computers.
That online zombie horde was capable of launching coordinated cyberattacks, cracking passwords, or mining hundreds of dollars a day worth of cryptocurrency. And by assembling that botnet from cloud accounts rather than hijacked computers, Ragan and Salazar believe their creation may have even been legal.
"We essentially built a supercomputer for free," says Ragan, who along with Salazar works as a researcher for the security consultancy Bishop Fox. "We're definitely going to see more malicious activity coming out of these services."
(Score: 3, Interesting) by Horse With Stripes on Saturday July 26 2014, @12:06AM
What these guys did may have been legal, though I'm sure it violated every TOS on every service they used. And what will happen now?
- most of these no cost options will be further limited or eliminated.
- a plethora of fucktards are going use this blueprint for less-than-legitimate purposes.
- these guys will probably get investigated - either behind the scenes or openly - by one or more of our collection of TLAs.
Though they exposed clear weaknesses in the "cloud" infrastructure they did it publicly which will serve to educate the low-skilled "bad guys" with ways to take advantage of things even more.
(Score: 3, Insightful) by Anonymous Coward on Saturday July 26 2014, @12:15AM
Weak captcha/account verification allowed this level of automation which is central to this hack. it is not the end of the world.
(Score: 3, Insightful) by bob_super on Saturday July 26 2014, @12:24AM
But it's easier to adjust TOS and force people to turn over a valid ID (theirs? nah), than it is to actually secure against bots. So it will make it worse for the rest of us.
(Score: 0) by Anonymous Coward on Saturday July 26 2014, @05:12PM
(Score: 3, Informative) by cafebabe on Saturday July 26 2014, @05:30AM
From my reading of the situation, they only used accounts to gain accounts. They didn't fully utilize the storage or processing power of the accounts that they'd gained. Many of the services will have terms and conditions which include clauses which prohibit cryptocurrency mining. Presumably, they didn't violate the terms and conditions but they were in a situation where it was trivial to do so on a large scale.
1702845791×2
(Score: 2, Informative) by Anonymous Coward on Saturday July 26 2014, @05:47AM
> Though they exposed clear weaknesses in the "cloud" infrastructure they did it publicly
> which will serve to educate the low-skilled "bad guys" with ways to take advantage of things even more.
RTFA, other people were already doing it as evidenced by changes in some TOSes during this group's low-impact testing.
At worst these guys sped up the process of cloud providers realizing that they shouldn't be stupid. It isn't about "nice things" it's about "dumb companies" with too much venture capital and too little planning.
(Score: 0) by Anonymous Coward on Saturday July 26 2014, @12:42AM
Goodbye university supercomputing facilities and computer labs, you have outlived your usefulness. The cloud is free! No way am I paying tuition for supercomputer access.
(Score: 2) by No.Limit on Saturday July 26 2014, @08:46AM
Just that supercomputers have bidirectional 20 GB/s or more interconnects which is pretty significant for supercomputing.
(Score: 3, Informative) by gman003 on Saturday July 26 2014, @05:50PM
To expand on what the other guy said:
They didn't build a supercomputer. They built a computer cluster. They may have had a huge amount of cumulative CPU power, but that doesn't make it a supercomputer.
There are a large number of problems that bottleneck not on CPU power, but on memory bandwidth. Particularly, cross-node memory bandwidth. That's what supercomputers provide - the entire system is running in one big memory space, and they use extremely fast links between nodes to overcome that bottleneck.
This thing? They almost certainly didn't even have a unified memory system across all their cloud machines. They could definitely have gotten high performance in any CPU-bound problem (like cryptocurrency mining), but on something like fluid simulation, a small rack of computers with Infiniband interconnects would destroy them.
(Score: 2) by choose another one on Saturday July 26 2014, @08:02AM
Azure T&Cs ban malware hosting & c&c, Azure gets used for malware anyway, MS legal gets court order to take over Azure domains due to illegal activity, MS disappears up own backside...